User Claims Airdropped ApeCoins by Exploiting Whitelist Oversight

Through a sophisticated chain of transactions, an anonymous user cunningly grabbed $1.1 million from the ApeCoin Airdrop. Despite sticking to the allowed rules of purchase, the user managed to exploit the system.

ApeCoin Launch

On Thursday, Yuga Labs, the creators of the Bored Ape Yacht Club, launched an exclusive airdrop of ApeCoin (APE) tokens. The launch notably spiked Ethereum gas prices barely hours after it began.

Following the launch, Yuga Labs offered 15% of the one billion ApeCoin tokens to Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club collectors. The collective value of these BAYC tokens amounts to approximately $800 million. The offering allocated 10,094 APE units to each NFT holder, worth around $80,000 to $200,000.

However, a user found a way to benefit from the airdrop without owning any BAYC NFTs. They successfully claimed free APEs by exploiting the algorithm used for allocating tokens in the Airdrop. In effect, they snatched up $1.1 million worth of ApeCoins.

How They Outsmarted the Airdrop Process

Here’s how they pulled off the stunt. The system picked qualified candidates for the airdrop based solely on the current owners of BAYC NFTs. Because it did not factor in ownership history, individuals who gained possession of Bored Ape NFTs right before the airdrop were included in the giveaway. This way, one can take advantage of the system by momentarily owning BAYC NFTs for the duration of the airdrop claim.

In a nutshell, one could borrow Bored Apes solely for the purpose of benefiting from the airdrop, then return the NFTs to their owner shortly after.

To execute the con, the person first found a vault containing five BAYCs that had not been redeemed for ApeCoins.

Vaults are used to tokenize NFTs. People can collect a number of NFTs and place them in a vault. By doing so, the NFTs become fungible tokens that owners can sell or stake to earn rewards. In the same way, people can turn these tokens back into their respective NFTs.

To secure unclaimed Bored Apes, the actor used a vault built on NFTX. This vault housed five BAYCs, including #8167, #9915, #4755 and #7594. Based on the floor price, the collective value of these NFTs comes to roughly $1.4 million. The Bored Apes sat idly in the vault, belonging to and controlled by no one in particular. As a result, nobody had redeemed them for ApeCoin tokens.

However, the person wanted to gain possession of them solely to claim the airdropped APEs, since buying them outright would have cost a fortune. To work around this hitch, they turned to DeFi loans.

Deploying Flash Loans in Flash Steal

Flash loans are a handy way to borrow crypto in large quantities in the DeFi space. These loans have a low-risk structure: the protocol processing the loan ensures the debt is repaid within the same transaction, otherwise the whole transaction reverts.

The APE token snatcher bought a BAYC NFT on OpenSea for less than $300,000, then used it as collateral to take out a flash loan. With the loaned funds, they redeemed five Bored Apes from the NFTX vault.

With the NFTs from the vault in hand, they were able to claim the APE airdrop. They exchanged the tokens acquired for 399 ETH (~$1.1 million) on Uniswap. The person then returned the Bored Apes to the vault, converting them back into tokens. Lastly, they used the tokens to clear their flash loan debt.
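As an added illustration that is not part of the original article and does not represent Yuga Labs' contract, here is a simplified Python model of the eligibility check at the heart of the story: the vulnerable rule pays whoever holds the NFT when the claim is made, so an ape redeemed from a vault with loaned funds qualifies for the few seconds it is held; the hardened rule pays only the holder recorded at a snapshot block fixed before the airdrop was announced, so a transient holder gets nothing. The addresses and the vault round-trip are constructed; the token ids and the per-NFT reward are those quoted in the article.

```python
from dataclasses import dataclass, field

REWARD_PER_NFT = 10_094  # APE per eligible NFT, as stated in the article


@dataclass
class AirdropClaim:
    """Simplified model of an NFT-gated airdrop claim (not Yuga Labs' contract)."""
    owners: dict    # token_id -> current holder (live ERC-721 state)
    snapshot: dict  # token_id -> holder at a block fixed before the announcement
    claimed: set = field(default_factory=set)

    def claim_current_owner(self, caller, token_id):
        """Vulnerable: pays whoever holds the NFT at the moment of the claim."""
        if token_id in self.claimed:
            raise ValueError("token already claimed")
        if self.owners[token_id] != caller:
            raise ValueError("caller does not hold this token")
        self.claimed.add(token_id)
        return REWARD_PER_NFT

    def claim_snapshot_owner(self, caller, token_id):
        """Hardened: pays only the holder recorded at the snapshot block, so a
        borrower who takes the NFT after the snapshot never qualifies."""
        if token_id in self.claimed:
            raise ValueError("token already claimed")
        if self.snapshot.get(token_id) != caller:
            raise ValueError("caller was not the holder at the snapshot")
        self.claimed.add(token_id)
        return REWARD_PER_NFT


def transient_holder_run(method):
    """Replay the article's sequence against one claim rule; return APE obtained.
    Constructed scenario: four unclaimed apes sit in a vault, a borrower redeems
    them, claims, and returns them, all within one atomic transaction."""
    vault, borrower = "0xVAULT", "0xBORROWER"  # constructed addresses
    token_ids = [8167, 9915, 4755, 7594]       # ids listed in the article
    owners = {t: vault for t in token_ids}
    model = AirdropClaim(owners=dict(owners), snapshot=dict(owners))
    claim = getattr(model, method)
    total = 0
    for t in token_ids:
        model.owners[t] = borrower  # redeem from the vault with loaned funds
        try:
            total += claim(borrower, t)
        except ValueError:
            pass                    # hardened rule rejects the transient holder
        model.owners[t] = vault     # convert back to vault tokens, repay the loan
    return total
```

The snapshot rule has its own trade-off: whoever held at the snapshot block can claim even after selling, which is why the snapshot must be taken before the airdrop is announced, and why apes parked in a vault at that block stay unclaimable by anyone.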

Whitelists, White Hacks, and Acceptance

While some have praised the anonymous user for an ingenious move, others labeled the whole operation an attack. The user exploited holes in the airdrop process’s allowlist.

Blockchain security firm BlockSec insists the user could just as well have been a black-hat attacker. The firm suggests the operation is similar to previous black-hat maneuvers involving price manipulation.

Recently, a white-hat hacker spotted a “whitelist” vulnerability in Coinbase’s algorithm and received a bounty reward. In this case, however, the exploit took place without any advance disclosure, and certainly without a bounty.